Signature time validation for multiple signatures

Could someone please explain to me how I can properly validate a document that is signed and countersigned multiple times? My problem seems to be that a message signer can have more than one signer ID (in the CertIDs array) but it only has a single SignatureTime. If each signature happens at a different time, how can I make sure the linked certificate was valid at the moment of the signature?

I'm looking into using TElSignedCMSMessage: it looks like it's what I should be using.

A couple of questions:

- When I use the "validate" method of a TElCMSSignature instance and pass it a TElX509CertificateValidator instance, it doesn't seem to be using the system store for certificate validation: if I set the "cvoValidateChains" option, I always get "casvIncompleteChain" as the result (only the leaf certificate is included in the CMS message, the rest of the chain is in the system store). What am I missing?
- How can I validate the signature against the data? Is it included in the "Validate" command?

- When I use the "validate" method of a TElCMSSignature instance and pass it a TElX509CertificateValidator instance, it doesn't seem to be using the system store for certificate validation: if I set the "cvoValidateChains" option, I always get "casvIncompleteChain" as the result (only the leaf certificate is included in the CMS message, the rest of the chain is in the system store). What am I missing?

You should call ElX509CertificateValidator.InitializeWinStorages first.


- How can I validate the signature against the data? Is it included in the "Validate" command?

You should call ElX509CertificateValidator.InitializeWinStorages first.

Ah, but I do call it. I use a centralized validator (actually created and initialized in the object that uses the CMS signature). Here is the accessor for the linked property that initializes the instance if necessary:

If I set the "cvoValidateChains" option, I always get "casvIncompleteChain" as the result (only the leaf certificate is included in the CMS message, the rest of the chain is in the system store). What am I missing?

The validation routine performed by TElX509CertificateValidator is quite strict. Under the default configuration this component requires the complete validation data (all the certificates of all the chains used directly or indirectly in the signature, along with the relevant CRLs and OCSP responses) to be either available locally or accessible via the Internet. It is possible that some piece of revocation information cannot be retrieved during validation (for example, the OCSP server is down), and thus the overall validation process fails.

To localize the problem, please put the TElX509CertificateValidator object into the most liberal mode by adjusting the following properties:

One last question, if I may: if I understand correctly, the csoUseGeneralizedTimeFormat option of the ElCMSSignature.SigningOptions property controls whether the signature time will be corrected to UTC when signing.

When I read back the signature, how can I know if the signing time was UTC or local? The csoUseGeneralizedTimeFormat doesn't seem to be carried in the CMS message itself, and it's absent when I reload the message.

In the vast majority of cases SecureBlackbox won't perform any time zone conversions for you, i.e. it is your task to convert the time to UTC before assigning it to the SigningTime property. The csoUseGeneralizedTimeFormat property only tells the component to force the use of the ASN.1 GeneralizedTime type when saving time values (if the option is off, either UTCTime or GeneralizedTime will be used, depending on the exact time value supplied).
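The encoding rule described in the reply above, together with the per-signature validity question from the opening post, as an added example that is not SecureBlackbox code: it encodes a UTC signing time as UTCTime or GeneralizedTime (the switch mirrors what csoUseGeneralizedTimeFormat is described as doing), decodes either form back to a UTC value, and checks each signature's own signing time against its signer certificate's validity window. Function names and the sample signatures are assumptions of this example.

```python
from datetime import datetime, timezone
# Added example, not SecureBlackbox code: re-implements the two ASN.1 time
# encodings a CMS signing-time attribute may use (RFC 5652 sec. 11.3) and checks
# each signature's own signing time against its signer certificate's validity
# window. Function names and sample data are constructed for illustration.
UTCTIME, GENERALIZEDTIME = 0x17, 0x18  # DER tags of the two time types

def encode_signing_time(t, force_generalized=False):
    """DER-encode an aware UTC datetime. As with csoUseGeneralizedTimeFormat,
    no time zone conversion happens here: the caller must supply UTC."""
    if t.utcoffset() is None or t.utcoffset().total_seconds() != 0:
        raise ValueError("signing time must be an aware UTC datetime")
    if force_generalized or not 1950 <= t.year <= 2049:
        tag, body = GENERALIZEDTIME, t.strftime("%Y%m%d%H%M%SZ").encode()
    else:
        tag, body = UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode()
    return bytes([tag, len(body)]) + body

def decode_signing_time(der):
    """Decode DER UTCTime/GeneralizedTime; both end in 'Z', so both are UTC."""
    tag, length, body = der[0], der[1], der[2:]
    if length != len(body) or body[-1:] != b"Z":
        raise ValueError("malformed or non-UTC signing time")
    s = body[:-1].decode("ascii")
    if tag == UTCTIME:  # two-digit year: 50..99 -> 19xx, 00..49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != GENERALIZEDTIME:
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_signatures(signatures):
    """Per signature: was its signer certificate valid at *that* signing time?
    Each dict carries signer, signing_time (DER), not_before and not_after."""
    result = {}
    for sig in signatures:
        at = decode_signing_time(sig["signing_time"])
        result[sig["signer"]] = sig["not_before"] <= at <= sig["not_after"]
    return result

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed data: both certificates share one validity window; the author
# signed inside it, the countersigner only after it had expired.
WINDOW = {"not_before": utc(2022, 1, 1), "not_after": utc(2024, 12, 31, 23, 59, 59)}
SAMPLE = [
    {"signer": "author", "signing_time": encode_signing_time(utc(2023, 3, 1, 9)), **WINDOW},
    {"signer": "countersigner", "signing_time": encode_signing_time(utc(2025, 6, 1, 12), True), **WINDOW},
]
```

Running `check_signatures(SAMPLE)` yields `{'author': True, 'countersigner': False}`: the countersignature fails not because the document changed but because that particular signing time lies outside its certificate's window.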


When I read back the signature, how can I know if the signing time was UTC or local?